Knowledge Flow Analysis for Security Protocols 



Emina Torlak, Marten van Dijk, Blaise Gassend, Daniel Jackson, and Srinivas Devadas 
{emina, marten, gassend, dnj, devadas}® mit.edu 

February 1, 2008 
Abstract 

Knowledge flow analysis offers a simple and flexible way to find flaws in security protocols. A 
protocol is described by a collection of rules constraining the propagation of knowledge amongst princi- 
pals. Because this characterization corresponds closely to informal descriptions of protocols, it allows a 
succinct and natural formalization; because it abstracts away message ordering, and handles communica- 
tions between principals and applications of cryptographic primitives uniformly, it is readily represented 
in a standard logic. A generic framework in the Alloy modelling language is presented, and instantiated 
for two standard protocols, and a new key management scheme. 

1 Introduction 

One area of major successes for formal methods has been the verification of security protocols. A number of 
specialized tools have been developed in the last decade that have exposed subtle flaws in existing protocols 
(see, e.g. [12; 29]). For the most part, however, these tools have been used by the researchers that developed 
them, and less attention has been paid to usability issues. 

This paper presents a new approach to formulating and checking cryptographic protocols. It does not 
enable any new form of analysis. Instead, it makes verification more accessible to the designers of protocols. 
Its key contribution is a new characterization of these protocols that is both closer to how designers conceive 
them, and amenable to a more direct encoding in standard first-order logic. This more direct encoding allows 
existing tools to be applied as black boxes without modification; it requires no tweaking of parameters or 
issuing of special directives by the user. Moreover, because the semantic gap between informal descriptions 
of protocols and their formalization is smaller, there are fewer opportunities for errors to creep in. 

In this paper, the Alloy modeling language is used to record the details of the protocol and its security 
goals, and the Alloy Analyzer is used to find flaws. The approach, however, requires no special features of 
Alloy or its analysis, and could be applied in the context of any formal method based on first-order logic. 
Its simplicity suggests that it may be useful in teaching; indeed, using the approach, we have explained 
cryptographic protocols to undergraduates who have had only a few weeks of experience in formal methods. 

Our approach, which we call knowledge flow analysis, gives a uniform framework for expressing the 
actions of principals, assumptions on intruders, and properties of cryptographic primitives. The dynamic 
behaviour of the protocol is described by an initial state of knowledge, and a collection of rules that dictate 
how knowledge may flow amongst principals. A state is given by a relation mapping principals to the values 
they know; the allowable knowledge flows can thus be succinctly described as a standard transition relation 
on knowledge states, written as a constraint. 

This simple setup allows us to model a range of intruder capabilities and to detect replay, parallel session, 
type flaw, and binding attacks. We have applied it to both symmetric and public-key cryptography under the 
Dolev-Yao [16] approach. The modeling framework itself is more general, however, and can be extended 
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to include the properties of cryptographic primitives [10; 14; 33; 42] and an unbounded number of sessions 
with bounded messages [11]. 

This approach grew out of an effort to check a new cryptographic scheme [20; 21]. Knowledge flow 
analysis described here was the final result of a series of incremental attempts at formalizing and checking 
the protocol using the Alloy language and tool. This process helped crystallize our intuitions, and drew out a 
number of important assumptions. The final analysis, although only performed over a finite domain, actually 
establishes the correctness of the protocol for unbounded instantiations because of a special property of this 
protocol. The Alloy models developed for this case study were generalized into a simple framework that 
was subsequently applied to some standard protocols, such as Needham-Schroeder [36] and Otway-Rees 
[40]. 

The contributions of this paper are: 

1. the knowledge flow formalism, which characterizes the dynamic behaviour of a cryptographic pro- 
tocol in terms of the increasing knowledge of the principals, avoiding the need to impose an explicit 
ordering on messages; 

2. a realization in the Alloy modelling language as a generic framework with a library of primitives that 
can be easily instantiated for a variety of protocols; 

3. soundness and completeness results that guarantee that (1) any counterexample generated by the an- 
alyzer to a security theorem is legitimate, and not an artifact of the modelling framework, formalism 
or analysis; and (2) that if a counterexample exists involving any number of message exchanges and 
any number of steps, it will be found, so long as the number of parallel sessions is within a prescribed 
bound; 

4. case study applications of the approach to two well-known protocols, one of which (Needham- 
Schroeder) is explained in detail, and to a new key management scheme based on controlled physical 
random functions [20; 21]. 

Section 2 explains the key intuitions underlying the approach, using Needham Schroeder as an example. 
Section 3 shows the complete formalization of this example, including the statement of the security goal, and 
a discussion of the counterexample corresponding to the well-known attack. Section 4 gives a mathematical 
summary of the approach without reference to any particular modeling language that might serve as a basis 
for implementations in other tools, and which makes precise the assumptions underlying the model. The 
paper closes with an evaluation and a discussion of related work. 

2 Knowledge Flow Basics 

The key idea behind knowledge flow analysis is the observation that, at the most basic level, the purpose 
of a security protocol is to distribute knowledge among its legitimate participants. A protocol is flawed 
if it allows an intruder to learn a value that is intended to remain strictly within the legitimate principals' 
pool of knowledge. To gain more intuition about knowledge flows in security applications, consider the 
Needham-Schroeder Public Key Protocol [36] shown in Figure 1. 

We have two principals, Alice and Bob, each of whom has an initial pool of knowledge represented 
with white boxes. Alice's initial knowledge, for example, consists of her own public/private key pair 
PK{A)ISK{A), identity A, nonce N A , and Bob's public key PK{B) and identity B. The purpose of 
the protocol is to distribute the nonces between Alice and Bob in such a way that the following conditions 
hold at the end: (1) Alice and Bob both know Na and Nb, and (2) no other principal knows the nonces. 
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Figure 1 : Knowledge Flow in Needham-Schroeder Protocol 



To initiate the protocol, Alice first expands her pool of knowledge to include E PK r B \(A, Na), an en- 
cryption of her identity and nonce with Bob's public key. She then sends the cipher to Bob who decrypts it 
using his private key, SK(B). At the end of the first step of the protocol, each principal's knowledge has 
increased to include the values in light gray boxes. Bob performs the second step of the protocol by adding 
Epk(A)(Na, Nb) to his current knowledge and sending the cipher to Alice. She uses her private key to 
decrypt Bob's message and extract Nb- By using Nb and PK(B), Alice can set up an authenticated and 
private channel with Bob as is done during the final step of the protocol in which Alice creates E PK ( B ) (Nb) 
and forwards it to Bob. Both Alice and Bob now know the two nonces and share all other knowledge except 
their secret keys. 

Following the flow of knowledge in the Needham-Schroeder protocol provides a crucial insight under- 
lying our analysis method. Namely, a principal can learn a value in one of three ways; he can 

• draw the value at the start, 

• compute it using his current knowledge, or 

• learn it by communication. 

Our analysis treats the latter two ways of obtaining knowledge as equivalent. Specifically, we can think of 
Alice's computing E PI ^i B \(A, Na) as her learning it from a principal called Encryptor whose initial pool 
of values includes all possible ciphers: Alice sends the tuple (PK(B), (A, Na)) to Encryptor who responds 
by sending back the encryption of (A, Na) with PK(B). 

Treating cryptographic primitives as principals allows us to consider the total pool of knowledge to be 
fixed. That is, the set of all values before and after the execution of a security protocol is the same; the only 
difference is the distribution of those values among the principals. Since we assume that principals never 
forget values, the set of principals who know a value at the end of a protocol session subsumes the set of 
principals who drew the value at the beginning. 
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The goal of analyzing knowledge flows in a protocol is to verify that particular values never leak out of 
the honest participants' pool of knowledge. In other words, we are interested in analyzing the flow of knowl- 
edge from an intruder's perspective. This observation allows us to make sound simplifying assumptions that 
drastically reduce the effort needed to formalize a protocol in terms of knowledge flows: 

• We need not encode the flows of knowledge among the honest principals, such as the flow which 
allows Alice to learn Epk(a)(Na, Nb) from Encryptor. Rather, we may assume that each honest 
principal draws all values in the total knowledge pool and specify protocols solely in terms of the 
intruders' knowledge flows (sections 4.1 and 4.2). 

• We may model all adversaries, including the untrusted public network, with a single opponent whom 
we call Oscar. The soundness of this approach is formally proved in section 4.3. Intuitively, the ap- 
proach makes sense if we note that the potential adversaries will be most effective when they collabo- 
rate and share knowledge among themselves. Hence, we can replace the (collaboration of) adversaries 
with a single principal who possesses all their knowledge, without excluding any intrusion scenarios. 

In our example, the flow of knowledge from the intruder's perspective starts with the protocol initial- 
ization message E PK r B )(A, Na), since Oscar needs no prior knowledge to learn the first cipher that Alice 
sends to Bob. In general, because Oscar includes the untrusted public network, he learns the first message 
of the protocol for free, regardless of who its intended recipient and sender are: 

Vpe{a,6}ye{a,6}uo [0 -> E PKipl) (I(p),N(e,I(p)))}. (1) 

The variables a and b denote the honest principals (Alice and Bob), and the set O stands for Oscar. The 
notation N(e,I(p)) represents the nonce that the nonce primitive N generated for the principal identified 
by I{p) using the random value e as the seed. For example, Alice's identity is 1(a) = A and Alice's 
nonce is N(e,I(a)) = Na- The empty set means that Oscar does not need prior knowledge to learn 

E PK{pf) (I(p),N(e,I(p))). 

Once his pool of knowledge includes E pk(b) (A Na ) , Oscar learns the corresponding response, E PK (Na , Nb ) ■ 
More generally 1 , 

V p 'e{a,b}, P e{a,b}uO,vev[c E PK(p) (v, N(c, I(p')))} (2) 
where c = E PK{pl) (I(p),v). 

The variable V denotes the set of all values, or the fixed pool of knowledge. Note that our formalization 
constrains the seed of Bob's nonce to be Alice's initialization message. This is needed to establish that 
Bob's nonce was generated in the context of the protocol session started by Alice with E PK f B ){A, Na). 
The resulting correspondence between the nonces prevents our analysis from sounding false alarms when 
Oscar legitimately obtains two nonces from Alice and Bob by running a valid protocol session with each. 

Oscar learns the final message, E pk ^ B )(Nb), as a consequence of knowing E PK (a)(Na, Nb). For- 
mally, 

Vp£{a,b},p>£{a,b}UO,veV 

[{E PK(p) (N(e,I(p)),v))} -> E PK(p/) (v)] . (3) 

'We use the parameter v in c instead of N(e, I(p)) because p', the recipient of c, cannot conclusively determine that v is, in 
fact, the nonce N(e, I(p)). 
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3 Example 



The Needham-Schroeder protocol is vulnerable to a parallel session attack discovered by Gavin Lowe [28]. 
This section presents a knowledge flow analysis of the protocol that reproduces Lowe's results, and gives 
a flavor of the expressiveness and simplicity of our method. We have encoded the knowledge flows in the 
Alloy modelling language [26] and used the Alloy Analyzer [25] to find the attack. However, the modelling 
pattern presented here is applicable to any first-order logic with relations and transitive closure. 

3.1 Encoding Basic Entities and Relations 

The basic components of a knowledge flow model are the sets Principal and Value, and the relations 
draws, learns, and knows (Model Excerpt 1). 

Model Excerpt 1 Generic Model of Principals and Values 

i module kf /basicdeclarations 

2 

3 abstract sig Value {} 

4 sig CompositeValue extends Value {} 

5 sig AtomicValue extends Value {} 

6 

7 abstract sig Principal { 

8 draws: set Value, 

9 owns: set draws 

10 }{ no owns & (Principal - this) .@owns } 

ii 

12 sig HonestUser extends Principal { 

13 }{ draws = Value } 

14 

is one sig Oscar extends Principal { 

16 knows: set Value, 

17 learns: knows->knows 
is }{ no "learns & iden } 

19 

20 pred InitialKnowledge ( ) { 

21 no CompositeValue & Oscar. draws } 

22 

23 pred FinalKnowledge ( ) { 

24 all v: Value | 

25 v in (Oscar . draws ) .* (Oscar . learns ) iff 

26 v in Oscar. knows } 



The set Principal includes all principals in a protocol - the legitimate protocol participants, represented 
by the subset HonestUser, and the intruders, represented by Oscar. The set Value models the fixed pool 
of knowledge on which a protocol operates. We distinguish between AtomicValues, which are uninter- 
preted, and CompositeValues, which may consist of other values and are learned by communicating with 
cryptographic primitives. In the example from Figure 1, Alice and Bob are members of HonestUser; 
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Value consists of the union of values enclosed in the boxes 'Alice' and 'Bob'; the identifiers A and B are 
AtomicV alues, and the ciphers are CompositeV alues. 

The relation draws (line 8) maps each principal to the set of values known by that principal at the 
beginning of the protocol. For example, both Alice and Bob draw Alice's identity A at the start of the 
protocol session shown in Figure 1. The declaration of owns (line 9) together with the constraint on line 
10 relate a principal to the set of drawn values which uniquely identify him. Bob, for instance, owns his 
identity, B, even though both he and Alice draw it. 

The field knows (line 16) defines the set of all values that Oscar can learn by using the knowledge 
flows available to him; this includes the knowledge obtainable from both the protocol rules and the cryp- 
tographic primitives. The acyclic relation learns (lines 17-18) encodes the partial ordering on Oscar's 
maximal knowledge, enforced by the flows from which the knowledge was acquired. For example, the pro- 
tocol rule 2 specifies that Oscar learns E PK ^(N A , N p ) from E PK ( B ){A, N A ). Hence, Oscar . knows 
contains both ciphers and Oscar, learns includes the mapping 

(E PK{B) (A, N A ), E PK(A) (N A , N B )). 

The predicate InitialKnowledge states that Oscar may not draw any composite values. Rather, he 
must learn them from the protocol rules or the primitives. The predicate FinalKnowledge specifies that 
Oscar's maximal knowledge contains a value v if and only if Oscar draws v or he learns it from a knowledge 
flow originating in his initial knowledge. 

3.2 Modelling Cryptographic Primitives 

The Needham-Schroeder protocol requires the use of cryptographic primitives to encrypt/decrypt messages 
and generate nonces. Our encoding of the knowledge flows and values associated with these primitives is 
shown in Model Excerpt 2. Note that we do not explicitly model primitives as principals. Instead, we define 
the pools of values drawn by the primitives as signatures and encode their input/output behavior as predi- 
cates. For example, the initial knowledge of Encryptor is given by the set Ciphertext, and Encryptor's 
operation is encoded in the predicates Encryptor and Decryptor. 

A Ciphertext represents an encryption of a non-empty plaintext (line 31) with a given key (line 32). 
The predicate Encryptor formalizes the encryption knowledge flow from Oscar's perspective. It states 
that, in order to learn the cipher v from the Encryptor, Oscar must provide the input x consisting of the 
plaintext and the key associated with v. Similarly, the predicate Decryptor stipulates that Oscar can learn 
the plaintext v after he presents the input x consisting of an encryption of v and the corresponding decryption 
key. 

Note that this model of ciphers accommodates both public and symmetric key encryption. Symmetric 
key encryption is the default; invoking the predicate PublicKeyCryptography switches on public key 
encryption. Any atomic value owned by a principal can serve as his public/private key pair. The public 
portion of any principal's key is accessible to Oscar through the draws relation. The decryption constraint 
on line 42 ensures that Oscar can decrypt a message only if he owns the value representing the public/private 
key pair. 

Nonces are encoded as composites with two fields, seed and id. The field id stores the identity of the 
principal to whom the nonce was issued. The predicate NonceGenerator says that, from Oscar's point 
of view, the generator will issue a nonce labeled with Oscar's identifier when presented with the input seed 
x. 
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Model Excerpt 2 Cryptographic Values and Primitives 

27 module kf /primitives/encryption 

28 open kf /basicdeclarations 

29 

30 sig Ciphertext extends CompositeValue { 

31 plaintext: some Value, 

32 key: Value } 

33 

34 pred PublicKeyCryptography ( ) { 

35 Ciphertext . key in Principal . owns & AtomicValue } 

36 

37 pred Encryptor (x: set Value, v : Value) { 

38 v in Ciphertext && x = v. key + v. plaintext } 

39 

40 pred Decryptor (x: set Value, v : Value) { 

41 some c : plaintext. v | x = (c.key + c) && 

42 (PublicKeyCryptography ( ) => 

43 c.key in Oscar. owns) } 

44 

45 pred Perf ectCryptography ( ) { 

46 (all disj cl,c2: Ciphertext | cl. plaintext ! = 

47 c2. plaintext | | cl.key != c2.key) 

48 (all c : Ciphertext | c != c.key && 

49 c != c. plaintext) } 

so module kf /primitives/nonces 
51 open kf /basicdeclarations 

52 

53 sig Nonce extends CompositeValue { 

54 seed : Value, 

55 id : Value } 

56 

57 pred NonceGenerator (x : set Value, v : Value) { 

58 v in Nonce && v. id in Oscar. owns && x = v. seed } 



3.3 Modelling Protocol Rules 

The models presented so far are a part of a generic Alloy framework developed for analyzing knowledge 
flows. This section describes the values and rules specific to the Needham-Schroeder protocol. 

Principals' identifiers are modelled as atomic values contained in the set Identity (Model Excerpt 3, 
line 64). Each principal owns an Identity (67), which also doubles as its owners' public/private key pairs 
(68). 

The ProtocolRules predicate (line 74) embeds the knowledge flow rules given by equations 1-3 
into first-order logic. The predicate ApplyRules states that the learns relation may map the set of values 
x to the value v if and only if the protocol or primitive rules define a knowledge flow from x to v. 
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Model Excerpt 3 Needham-Schroeder Protocol 

59 module kf /needham_schroeder 

60 open kf /basicdeclarations 

61 open kf /primitives/encryption 

62 open kf /primitives/nonces 

63 

64 sig Identity extends AtomicValue {} 

65 

66 pred IdentitiesAreKeys ( ) { 

67 all p : Principal | some p. owns & Identity && 

68 Ciphertext . key in Identity } 

69 

70 pred PrimitiveRules (x : set Value, v : Value) { 

71 Encryptor (x, v) | | Decryptor ( x, v) | | 

72 NonceGenerator (x, v) } 

73 

74 pred ProtocolRules (x : set Value, v : Value) { 

75 v in Ciphertext && { 

76 (x : some Oscar, draws && 

77 let text = v. plaintext, n = text & Nonce | 

78 #text = 2 && one n && n.seed in AtomicValue && 

79 n.id = text & Identity) | | 

80 (x : one Ciphertext && (some n : seed.x | 

81 #x. plaintext = 2 && v. key in x. plaintext && 

82 n . id = x . key & & 

83 v. plaintext = (x. plaintext - v. key) + n) ) | | 

84 (x : one Ciphertext && 

85 (some n : id. (x.key) & Nonce | 

86 #x. plaintext = 2 && n in x. plaintext && 

87 v. plaintext = x. plaintext - n) ) }} 

88 

89 pred ApplyRulesO { 

90 all v : Value | let x = Oscar . learns . v | 

91 some x <=> PrimitiveRules (x, v) | | 

92 ProtocolRules (x, v) } 



3.4 Checking Security 

The predicate S ecur it yAs sumptions in Model Excerpt 4 models our assumptions about the properties 
of cryptographic primitives and principals. We assume perfect public key cryptography (line 94) and the use 
of identifiers as public/private key pairs (line 95). 

The security property that the protocol should satisfy is given by the predicate SecurityTheorem. It 
states that Oscar's maximal knowledge never contains two nonces, nA and nB, such that nB is generated 
by Bob in response to a protocol initialization message sent by Alice (a cipher containing Alice's identity 
and one of her nonces). The assertion Security stitches the model together to stipulate that the security 
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property should hold if Oscar obtains his maximal knowledge by applying the knowledge flow rules to the 
values he draws. 

Model Excerpt 4 Security Assumptions and Theorem 

93 pred SecurityAssumptions ( ) { 

94 Perf ectCryptography ( ) && PublicKeyCryptography ( ) 

95 IdentitiesAreKeys ( ) } 

96 

97 pred SecurityTheorem ( ) { 

98 no disj Alice, Bob : HonestUser, 

99 nA, nB : Oscar. knows & Nonce | 

100 nA.id in Alice. owns && nB.id in Bob. owns && 

101 (some c : Ciphertext | nB. seed = c && 

102 c.key = nB.id && 

103 c. plaintext = nA.id + nA) } 

104 

105 assert Security { 

106 InitialKnowledge ( ) && FinalKnowledge ( ) && 

107 SecurityAssumptions ( ) && ApplyRulesO => 

108 SecurityTheorem ( ) } 



The Alloy Analyzer generates a counterexample to the Security assertion (Figure 2) that is a knowl- 
edge flow representation of the parallel session attack discovered by Lowe [28]. Alice uses cipherO to 
initiate the protocol with Oscar, who extracts nA and forwards it to Bob in cipherl. Thinking that he is au- 
thenticating with Alice, Bob responds with cipher2 which Oscar simply forwards to Alice. She completes 
the session with Oscar by sending him nB, which she believes is his nonce, in cipher^. Oscar now knows 
both nA and nB, contrary to our claim. 



cipherO 
plaintext: A, nA 
key: 


learns 






learns 


cipherl 
plaintext: A, nA 
key: B 


learns 


cipher2 
plaintext: nB, nA 
key: A 


learns 


cipher3 
plaintext: nB 
key: 


learns _ 












Figure 2: Parallel Session Attack on the Needham-Schroeder Protocol 



4 Knowledge Flow Analysis 

Knowledge flow analysis is based on a simple mathematical foundation. This section formalizes the ideas 
outlined in the discussion of knowledge flow basics. We describe how communication rules direct knowl- 
edge flows (4.1), show that our treatment of primitives ensures a fixed pool of values (4.2), formulate the 
analysis problem in terms of Oscar's knowledge flows (4.3), and present a small-model theorem which 
makes our analysis complete for a bounded number of parallel protocol sessions (4.4). 

4.1 Communicating Knowledge 

We denote the sets of all principals and values by P and V. A subset of P x V is a state of knowledge 
drawn from K = 2 PxV , the set of all possible states of knowledge. For a given state of knowledge k e K, 
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we say that "p knows v" if (p, v) G k. 



Definition 1 A ?w/?/e (R, ko) is a knowledge flow for (P, V) directed by the communication rules R C 

P x V x P x K and originating from the state ko G iv\ 

A communication rule describes the conditions under which one principal may gain knowledge from an- 
other. For example, the rule (e, E PK / pi \(y),p a , {(p a , PK(Pb)), (Pa, v)}) states that the encryptor e will tell 
the cipher E PK ( b ) (v)) to the principal p a if p a knows pb's public key and the plaintext v. 

Note that our definition of a communication rule limits the class of protocols expressible in the knowl- 
edge flow framework. In particular, our rules cannot be used to specify conditions under which information 
is withheld from a principal, such as "a will not tell v to b if b knows x". Although many practical protocols 
do not require this form of expressiveness, withholding of knowledge is an essential concept in systems that 
use certificates: revoking a certificate requires withholding of information. We are working on reformu- 
lating the certificate revocation problem using valid and invalid certificate sets, which should allow us to 
circumvent this limitation. 

Given a set of communication rules R, we say that k! G K is reachable from k G K via R if k! is the 
result of applying all rules in R to k at most once; i.e. k' = f R (k) where 



Definition 2 f R : K — > K such that 



f R (k) =ku{ 



(pb,v) G k,k a C k, and 
(Pa,v) : (pb, v,p a , k a ) G R, 

for some pb G P and k a G K 



A state of knowledge k n is reachable in the context of a knowledge flow (R, ko) if k n = f R (ko)- The 
maximal state of knowledge f R {ko) is the limit of k n = f^{ko) as n — > oo. A state of knowledge /^ k (k) 
is valid for a knowledge flow (R, ko) if R K C R and k C /c . Since /r(/co) is monotonically increasing 2 in 
R and ko, any valid state of knowledge is a subset of the maximal state of knowledge. Hence, the maximal 
state of knowledge is also the smallest fixed point of which subsumes ko. 

4.2 Initial Knowledge 

For each value v, Source(v) = {p : (p, v) £ ko} defines the set of principals who draw v. In the knowledge 
flow framwork, a principal p outside of Source(v) can learn v only by communicating with principals 
who know v. We therefore treat cryptographic primitives, and other computationally feasible algorithms, 
as principals. For example, suppose that, in practice, p can compute v by applying the algorithm A to 
inputs ii, 12, . ■ ■ , i n - We model A by adding the principal A to P, the tuple (A, v) to ko, and the rule 
(A, v,p, {(p,i 1 ),(p,i 2 ),... (p, i n )}) to R. 

Our treatment of primitives ensures that Knowledge(ko) = {v : (p, v) G ko for somep G P} consists 
of all learnable values. Hence, V is the same in the initial and the maximal state of knowledge, 

Knowledge(ko) = Knowledge{f^{ko))-, (4) 
which implies that we can safely restrict our analysis to the subset of R applicable to ko- Formally, 

(4) =► f R (ko) = f R{ko )(ko) and f* R (k ) = f R(h)) {k ), 

whereto) - {fa, x tB ., fa) eR: ^ ^(l) ^ } ' 

2 It is evident from Definition 2 that self-rules such as r — (p, v,p, k p ) £ R do not affect the flow of knowledge: /jj(fc) = 
/ R _{ r }(fc). We therefore assume that R does not contain any self-rules. 
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4.3 Adversaries' Knowledge 

Let O C P be a group of collaborating adversaries. We collapse O into a single principal o using the 
following merging function: 



Merge{p) 



o if p G O, 
p if p G" O 

Merge(k) = {(Merge(p),v) : (p, G fc} 
Merge(r) = (Merge(pt)),v, Merge(p a ), Merge(k a )) 
where r = (p 6 , t> ,p a , k a ) G P 

The merging of adversaries does not rule out any attacks because Merge(f R (ko)) C f^ er ^ e ^(Merge(ko)). 
We subsequently assume that Merge is implied and use P, P, and fco to refer to Merge(P), Merge(R), 
and Merge(ko). 

Security properties of protocols are expressed as predicates on the values known to Oscar in the maximal 
state of knowledge. We therefore restrict our analysis of knowledge flows to finding all the values in the 
projection of f R ^(ko) on Oscar. Specifically, we introduce the projection function gn tko an d show that its 
smallest fixed point is the image of Oscar under f R / k \ {ko). 

Definition 3 Let X — > x denote the existence of a rule (p, x, o, k a ) G R(ko) for some p G P — {o} and 
k a G K with X = {v : (o, v) G k a }. We define g^k '■ 2 V — ► 2 V as 

9R,k Q ( X ) = X U {x : X a ^ x for some X a Q X} . 

The set of values reachable from X is given by g* R ko (X), which is the limit of g 7 ^ ko (X) as n — > oo. 

Since fnik^) is monotonically increasing in R and ko, Oscar's pool of values under f^(ko) is maximized 
if (a) Oscar tells everything he knows to the honest principals and (b) the honest principals tell everything 
they know to each other. Therefore, (P — {o}) x Knowledge(ko) should be included in the maximal state 
of knowledge. This is equivalent to assuming that each honest principal draws Knowledge(ko) because 
k C /* (A*) implies that /* (k ) = f* R (k U k). 

Lemma 4 Let [(P — {o}) x Vq\ C ko with Vo = Knowledge{ko) and let k n = f R (ko)- Then there exists 
a unique set X n C V such that 

k n = [(P-{o})xV ]U[{o}xX n ]. (5) 
The set X n has the property that X n = g R ko (Xo). 
Proof. 

We use induction on n. For n = 0, X n = Xq = g RkQ (Xo). Since (P — {o}) x Vq C ko and 
Vq = Knowledge{ko), there exists a unique Xo such that ko satisfies (5). 

Let X n = g R (Xo) be a unique solution to (5) and 
Knowledge(k n ) = Vo (our induction hypothesis). We know that A; n +i = fR{k n ) and, therefore, Knowledge{k n 
Knowledge{k n ) = Vq. Together with [(P — {o}) x Vq] C k n C k n+ \, this implies the existence a unique 
X n+ i for which k n+ i satisfies (5). We now need to prove that X n+ \ = g R ^' ko (Xo). 

Definition (5) lets us infer that x G X n+ \ <^=^ (o,x) G k n+ \ = /i?(fe n ). According to Definition 
(2), (o, x) G fn{k n ) if and only if i) (o, x) G k n , which is, by (5), equivalent to x G X n , or ii) there 
exists a. p G P and k a G K such that (p, x) G k n , k a C k n , and (p,x,o,k a ) G P. Since there are no 
self -rules (o, u, o,k a ) G P, we know that p G P — {o}. This, together with x G X n+ i C Vq, implies that 
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(p, x) G [(P — {o}) x Vq] C fc n . Given [(P — {o}) x Vq\ C fe n and Vb = Knowledge(k n ), the condition 
fecr C fc ra is equivalent to 

X CT = : (o, u) € /c CT } C {v : (o, v) G fc„} = X n and 
: (o,v) G /c CT } C V Q . 

Since x G X n+ i C Vo, {f : (o, t>) G fc^} C Vq gives us (p, x, o, G R(ko). Therefore, case ii) holds if 
and only if there exists a set X a C X n such that X a — > x. By Definition (3), case i) or case ii) holds if and 
only if x G gR,k (X n )- Hence, X n+ i = gR,k {X n ) and the lemma follows by induction on n. 

□ 

4.4 Detecting Intruders 

Let m be the total number of values used in a single protocol session, including the subterms of each 
composite value. Suppose that Oscar can use only the primitives which compose or decompose inputs 
and for which the composition rules have no collisions (e.g encryptor/decryptor). Then, the theory in [41] 
implies the following: if there exists an attack in which Oscar uses w parallel protocol sessions, then such 
an attack need not involve more than w ■ m values. From (4) we infer that this corresponds to a valid state of 
knowledge f R (k a ) derived from the set k a C ko of cardinality \Knowledge(k a )\ < wm. By Lemma 4, we 
can conclusively decide whether there is an attack which uses w parallel protocol sessions by computing 

Leg* Rk (X a ) : fOT X k ° ^° 1 . (6) 

[ 3 ^ k ° y with \Knowledge(k a )\ < wm J 

5 Evaluation 

We have applied the theory developed in the previous section to check the security of the original [36] and 
modified [28] Needham-Schroeder Public Key Protocol, the Otway-Rees Mutual Authentication Protocol 
[40], and the bootstrapping and renewal protocols based on Controlled Physical Random Functions (CPUFs) 
[20; 21]. 

The knowledge flows of the protocols were embedded into Alloy using the pattern presented in section 
3. The pattern is embodied in a general Alloy framework for knowledge flow analysis which includes 
definitions of basic concepts (Model Excerpt 1), a library of primitives, and a model outline for specifying 
protocol rules and security theorems. For example, Model Excerpt 2 shows portions of Alloy modules that 
encode generic encryption/decryption and nonce generator primitives, and Model Excerpts 3 and 4 comprise 
an instantiation of the modelling outline for the Needham-Schroeder protocol. 

We have found that the Alloy framework and its associated tool support make the process of knowledge 
flow modelling fast, simple, and accurate. Our analysis is sound and, since most cryptographic primitives 
used in practice are composing/decomposing, we can make it complete for a bounded number of parallel 
sessions by applying the results from section 4.4. In the case of the modified Needham-Schroeder protocol, 
for example, we have proved that it is secure against all attacks that use two parallel sessions. The analysis 
of the Otway-Rees protocol (Appendix A) produced the type flaw attack described in [8]. We found the 
CUPFs protocols (Appendix B) to be secure for a single protocol session and, therefore, for an unlimited 
number of sessions. 

The main limitation of our approach is that it is not fully general. As pointed out in section 4.1, protocols 
that withhold information under certain conditions cannot be formulated as knowledge flows. However, this 
limitation does not significantly detract from practical usefulness of knowledge flow analysis: as far as we 
know, few practical protocols contain information-withholding rules. 
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6 Related Work 



The first formalisms designed for reasoning about cryptographic protocols are belief logics such as BAN 
logic [8], used by the Convince tool [27] with the HOL theorem prover [24], and its generalizations (GNY 
[23], AT [3], and SVO logic [44] which the C3PO tool [15] employs with the Isabelle theorem prover [39]). 
Belief logics are difficult to use since the logical form of a protocol does not correspond to the protocol itself 
in an obvious way. Almost indistinguishable formulations of the same problem lead to different results. It 
is also hard to know if a formulation is over constrained or if any important assumptions are missing. BAN 
logic and its derivatives cannot deal with security flaws resulting from interleaving of protocol steps [7] and 
cannot express any properties of protocols other than authentication [30]. To overcome these limitations, 
the knowledge flow formalism has, like other approaches [12; 29; 32; 35; 43], a concrete operational model 
of protocol execution. Our model also includes a description of how the honest participants in the protocol 
behave and a description of how an adversary can interfere with the execution of the protocol. 

Specialized model checkers such as Casper [29], Mur0 [35], Brutus [12], TAPS [13], and ProVerif [1] 
have been successfully used to analyze security protocols. Like knowledge flow analysis in Alloy, these 
tools are based on state space exploration which leads to an exponential complexity. Athena [43] is based 
on a modification of the strand space model [18]. Even though it reduces the state space explosion problem, 
it remains exponential. Multiset rewriting [17] in combination with tree automata is used in Timbuk [19]. 
The relation between multiset rewriting and strand spaces is analyzed in [9]. The relation between multiset 
rewriting and process algebras [2; 34] is analyzed in [5]. 

Proof building tools such as NRL, based on Prolog [32], have also been helpful for analyzing security 
protocols. However, they are not fully automatic and often require extensive user intervention. Model 
checkers lead to completely automated tools which generate counterexamples if a protocol is flawed. For 
theorem-proving-based approaches, counterexamples are hard to produce. 

For completeness, we note that if the initial knowledge of the intruder consists of a finite number of 
explicit (non-parameterized, non-symbolic) values, then a polynomial time intruder detection algorithm can 
be shown to exist using a generalization of the proof normalization arguments [4; 22; 31], which were 
employed in [6; 37] and have been implemented in the framework [38]. However, in practice, the initial 
knowledge of an intruder is unbounded and represented by a finite number of parameterized sets, each 
having an infinite number of elements. 

The key advantage of the knowledge flow approach over other formalisms is its simplicity and flexi- 
bility. It is simple in the sense that the underlying mathematics is straightforward and elementary; it does 
not require any specialized background (in logic). It is flexible in the sense that the same library of cryp- 
tographic primitives can be used to model different protocols and that the security of a complex scheme 
involving multiple protocols can be verified. Knowledge Flow Analysys allows modeling of confidentiality 
and authenticity via a wide range of primitives such as pairing, union, hashing, symmetric key encryption, 
public key encryption, MACs and digital signatures. 

Our formalism derives its simplicity from being just sufficiently expressive to enable modelling of prac- 
tical cryptographic protocols. In particular, existentials [17] cannot be encoded as knowledge flows; existen- 
tials are implicitly modeled in Oscar's initial knowledge. As mentioned in Section (4.1), NP-hardness proofs 
which use (existential) Horn clause reduction [17] or SAT3 reduction [41] are not applicable to Knowledge 
Flow Analysis. 

7 Conclusion 

This paper introduces a new method for formalizing and checking security protocols. Our approach enables 
natural encoding of protocol rules, simple treatment of primitives, direct embedding into first order logic, 
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and sound analysis that is also complete for many practical protocols. 

We have developed a general framework for analyzing knowledge flows using the Alloy Analyzer. The 
framework has been used to generate easily understandable knowledge flow representations of parallel ses- 
sion and type flaw attacks on the Needham-Schroeder and Otway-Rees protocols. We have also instantiated 
it with the rules for CPUFs key management protocols and verified the protocols' correctness for an unlim- 
ited number of parallel sessions. 

We believe that knowledge flow analysis may be polynomial-time decidable for some protocols. Future 
work will involve identifying the class of protocols whose knowledge flows are analyzable in polynomial 
time and developing a specialized tool for checking them. 
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Appendix A The Otway-Rees Protocol 

1 module kf /otwayreese 

2 open kf /basicdeclarations 

3 open kf /primitives/encryption 

4 open kf /primitives/nonces 
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5 

6 sig Message extends CompositeValue { 

7 contents: some Value } 

8 

9 sig Identity extends AtomicValue {} 

10 

n pred PrimitiveRules (x : set Value, v : Value) { 

12 Encryptor (x, v) | | Decryptor ( x, v) | | NonceGenerator (x, v) | | 

13 (x : Message && v in x. contents) } 

14 

is pred idCipher ( cipher : Value) { 

16 cipher : Ciphertext && 

17 some cipher . key . id & cipher . plaintext && 
is cipher . plaintext in Identity && 

19 one cipher . plaintext - cipher . key . id } 

20 

21 pred keyCipher (cipher : Value) { 

22 cipher : Ciphertext && 

23 some cipher . key . id } 

24 

25 pred messagel (m: Value) { 

26 m : Message && 

27 let cipher = m. contents & Ciphertext | { 

28 idCipher ( cipher ) && 

29 m. contents = cipher + cipher . plaintext }} 

30 

31 pred message2 (m: Value) { 

32 m : Message && 

33 some cipherl : Ciphertext | 

34 let cipher2 = m. contents & Ciphertext - cipherl | { 

35 idCipher (cipherl ) && 

36 idCipher (cipher2 ) && 

37 cipherl . plaintext = cipher2 . plaintext && 

38 m. contents = cipherl + cipher2 + cipherl . plaintext }} 

39 

40 pred message3(m: Value) { 

41 m : Message && 

42 some cipherl : Ciphertext | 

43 let cipher2 = m. contents & Ciphertext - cipherl | { 

44 keyCipher ( cipherl ) && 

45 keyCipher ( cipher2 ) && 

46 cipherl . plaintext = cipher2 . plaintext && 

47 m. contents = cipherl + cipher2 }} 

48 

49 pred message4 (m: Value) { 
so m : Message && 
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51 keyCipher (m. contents) } 

52 

53 pred ProtocolRules (x : set Value, v : Value) { 

54 (x : some Oscar. draws && messagel (v) ) | | 

55 (messagel (x) && message2 (v) && x. contents in v. contents) | | 

56 (message2 (x) && message3(v) && x . contents . key = v . contents . key) | | 

57 (message3 (x) && message4 (v) && v. contents in x. contents) } 

58 

59 pred ApplyRulesO { 

60 all v : Value | let x = Oscar . learns . v | 

61 some x <=> PrimitiveRules (x, v) | | ProtocolRules (x, v) } 

62 

63 pred SecurityAssumptions ( ) { 

64 Per f ectCryptography ( ) && 

65 all p : Principal | some p. owns & Identity } 

66 

67 pred SecurityTheorem ( ) { 

68 no oldResp, newResp : PUFResponse, 

69 renew : param. (oldResp . isRespTo) & HonestUser, 

70 cipher : Ciphertext | 

71 let oldChall = oldResp . isRespTo, newChall = newResp . isRespTo | 

72 oldChall . isHashOf : some (AtomicValue - Oscar. draws) && 

73 cipher . key . isHashOf = oldResp + renew. hash && 

74 cipher . plaintext = newResp && 

75 newChall . isHashOf = oldChall + renew. hash && 

76 newResp in Oscar. knows } 

77 

78 assert Security { 

79 InitialKnowledge ( ) && FinalKnowledge ( ) && 

so SecurityAssumptions ( ) && ApplyRulesO => SecurityTheorem ( ) } 

81 

82 pred SecurityTheorem ( ) { 



83 


no ml , m2 , m3 


, m4 


: Oscar. knows & 


84 


A, B: HonestUser. 


owns & Identity 


85 


messagel (ml ) 


&& 


message2 (m2 ) && 


86 


message3 (m3 ) 


&& 


message4 (m4 ) && 


87 


ml . contents . 


key . 


id = A && 


88 


m2 . contents . 


key . 


id = A + B && 


89 


m3 . contents . 


key . 


id = A + B && 


90 


m4 . contents . 


key . 


id = A && 


91 


m4 . contents . 


plaintext in 



92 (HonestUser . draws - Oscar. draws) & AtomicValue && 

93 m4 . contents . plaintext in Oscar, knows }} 

94 

95 assert Security { 

96 InitialKnowledge ( ) && FinalKnowledge ( ) && 

97 SecurityAssumptions ( ) && ApplyRulesO => SecurityTheorem ( ) } 
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Appendix B The CUPF Renewal Protocol 



1 module kf /primitives/hashing 

2 open kf /basicdeclarations 

3 

4 sig Hash extends CompositeValue { 

5 isHashOf: some Value } 

6 

7 pred CollisionFreeHashing ( ) { 

8 alldisj hi, h2: Hash | hl.isHashOf != h2.isHashOf } 

9 

io pred Hasher (x : set Value, v : Value) { 
n v in Hash && x = v.isHashOf } 

12 module kf/cpufs 

13 open kf /basicdeclarations 

14 open kf /primitives/encryption 

15 open kf /primitives/hashing 

16 

17 sig PUFResponse extends CompositeValue { 
is isRespTo: Value } 

19 

20 pred UniguePUFResponses ( ) { 

21 all r: PUFResponse | r.isRespTo !in (PUFResponse - r) .isRespTo } 

22 

23 sig RenewProg in Principal { 

24 param : Value, 

25 hash : AtomicValue & owns 

26 }{ param + hash in draws + knows } 

27 

28 pred SecretsNotLeaked ( ) { 

29 no (RenewProg & HonestUser) .param. isHashOf & PUFResponse && 

30 (RenewProg & HonestUser) .param in Hash } 

31 

32 pred GetResponsePrimitive (x : set Value, v : Value) { 

33 v in PUFResponse && 

34 v. isRespTo . isHashOf = Oscar. hash + Oscar. param && 

35 x = v. isRespTo } 

36 

37 pred GetSecretPrimitive (x : set Value, v : Value) { 

38 v in Hash && 

39 v.isHashOf = isRespTo . (Oscar . param) + Oscar. hash && 

40 x = v.isHashOf } 

41 

42 pred PrimitiveRules (x : set Value, v : Value) { 

43 Encryptor (x, v) | | Decryptor (x, v) | | 

44 GetResponsePrimitive (x, v) | | GetSecretPrimitive (x, v) } 
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45 

46 pred ProtocolRules (x : set Value, v : Value) { 

47 x : some Oscar, draws && { 

48 (v in (RenewProg & HonestUser) . (param + hash) ) | | 

49 (v in Ciphertext && 

so some renew: RenewProg & HonestUser | 

51 let renewHash = renew. hash | 

52 v . key . isHashOf = isRespTo .( renew . param) + renewHash && 

53 v. plaintext . IsRespTo . isHashOf = renewHash + renew. param) }} 

54 

55 pred ApplyRulesO { 

56 all v : Value | let x = Oscar . learns . v | 

57 some x <=> PrimitiveRules (x, v) | | ProtocolRules (x, v) } 

58 

59 pred SecurityAssumptions ( ) { 

60 UniquePUFResponses ( ) && Perf ectCryptography ( ) && 

61 SingleValueEncryption ( ) && CollisionFreeHashing ( ) && 

62 SecretsNotLeaked ( ) } 

63 

64 pred SecurityTheorem ( ) { 

65 no disj oldResp, newResp : PUFResponse, 

66 renew : param. (oldResp . isRespTo) & HonestUser, 

67 cipher : Ciphertext | 

68 let oldChall = oldResp . isRespTo, newChall = newResp . isRespTo | 

69 oldChall . isHashOf : some (AtomicValue - Oscar. draws) && 

70 cipher . key . isHashOf = oldResp + renew. hash && 

71 cipher . plaintext = newResp && 

72 newChall . isHashOf = oldChall + renew. hash && 

73 newResp in Oscar, knows } 

74 

75 assert Security { 

76 InitialKnowledge ( ) && FinalKnowledge ( ) && 

77 SecurityAssumptions ( ) && ApplyRulesO => SecurityTheorem ( ) } 
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